PHILADELPHIA (CN) – CVS is not liable for selling prescription-related information about consumers to pharmaceutical companies, a federal judge ruled.
A class action accused the pharmacy giant of making millions by selling “confidential prescription information” to some of the nation’s largest drugmakers, including Eli Lilly, Merck, AstraZeneca and Bayer.
The Philadelphia Federation of Teachers Health and Welfare Fund said CVS violated Pennsylvania’s Consumer Protection Law by failing to disclose that third parties could buy the confidential information.
According to the March 2011 suit, “in exchange for the receipt of funds, direct promotional letters were sent to physicians of consumers by defendant CVS Caremark in order to promote and tout specific prescription drugs of pharmaceutical manufacturers who contracted with defendant CVS Caremark for the sale and/or use of prescription information.”
Those mailers, funded by Big Pharma, identified customers by name, date of birth and the medication the customer was prescribed, the suit said.
They also “urged physicians to consider alternative medications for consumers” as part of what CVS dubbed an “RxReview Program,” the suit claimed.
Consumers said the program flew in the face of the pharmacy’s “public pronouncements as to the sanctity of both consumers’ privacy and the physician-patient relationship.”
U.S. District Judge Mary McLaughlin dismissed the case last week, finding that CVS did not sell protected health information.
The suit “repeatedly refers to the defendants’ sale of ‘confidential prescription information’ to pharmaceutical companies and third-party data firms, but does not elaborate on what ‘confidential prescription information’ is or what parts of that data were in fact disclosed to third parties,” she found.
It also “refer[s] interchangeably to the defendants’ sale of ‘protected health information,’ ‘individually identifiable health information,’ and ‘confidential prescription information,’ without identifying what that information consists of,” the 28-page opinion states.
McLaughlin noted that the plaintiffs conceded at oral argument that the information at issue “was de-identified within the meaning of HIPAA [Health Insurance Portability and Accountability Act].”
Health care providers can de-identify protected health information under HIPAA’s Privacy Rule, at which point the information is no longer protected, she added. /
“Counsel acknowledged that the information that the plaintiffs allege was sold to pharmaceutical companies and third party data firms did not contain patient names, birth dates, or Social Security numbers. Instead, the information sold consisted of a combination of medical history, prescription drugs given, dates of prescriptions, diagnoses, and physician names, lacking identifying information,” McLaughlin wrote.
The class wanted to proceed on a theory that the de-identified information could be manipulated to re-identify individual patients in violation of HIPAA.
But McLaughlin didn’t buy it. “Because it finds that the defendants have not disclosed legally protected information, [the court] will grant the defendants’ motion,” she wrote.
The judge declined to afford plaintiffs an opportunity to amend, dismissing their case with prejudice.